I see the same problem. It is a bit of a mess because I too always set gpgcheck=1 and that means a hand edit of all the repo files to recover since many have changed in other ways as well. It seems like asking for trouble to set gpgcheck=0 as is the default.

Kelvin Raywood wrote:
| Now that a couple of package updates (libtiff, libtiff-devel) have been
| signed with the new SL signing key, a couple of issues have arisen that
| are causing automatic updates to fail.
|
| In SL 5.1 (and possibly SL 5.0) the release number of the sl-release
| package was not incremented and so those systems did not receive the new
| keys.
|
| [email protected]> rpm -q --changelog sl-release
| * Fri May 23 2008 Troy Dawson <[email protected]> - 5.1-2
| - Changed sources to be 51 instead of 5rolling
|
| ...
|
| i.e., sl-release has been at 5.1-2 since May 2008
|
| The new version of the package is the same release number and the May
| 23, 2008 entry from the changelog has disappeared.
|
| Another cause of update failures is that if the yum repo files have been
| modified (e.g. to enable signature checking), then the update to
| yum-conf created .rpmnew files but left the modified files in
| place. This is correct behaviour but it means that the path to the new
| key is not in the .repo files and so security updates fail because the
| repository now has packages signed with the new key.
|
| For some systems it is not sufficient to just fix the .repo files. If
| they have missed the update to sl-release because they've been
| offline, or because of the release number problem above, then updates
| will continue to fail because they don't have the new key. The solution
| on any individual system is fairly straightforward; disable signature
| checking or import the new keys manually. However at TRIUMF (and I
| suspect other institutions) there are a large number of desktop PCs
| managed by their owners; some of whom are less than diligent about
| reading email sent to root about failing yum updates.
|
| When Fedora changed their signing key last year, they created new
| repositories (i386.newkey, x86_64.newkey) and systems were updated in a
| two-step. First the yum-conf package installed new .repo files pointing
| at the new repositories. Then all new updates went to the new
| repositories. This avoided update failures because of missing keys.
|
| Do most people just leave their signature checking disabled and so don't
| have the problem or have I missed something obvious here?
|
| I'm a little surprised that this issue has not already been raised.
|
| Kel Raywood
| TRIUMF

--
Robert E. Blair, Room C221, Building 360
Argonne National Laboratory (High Energy Physics Division)
9700 South Cass Avenue, Argonne, IL 60439, USA
Phone: (630)-252-7545 FAX: (630)-252-5782
GnuPG Public Key: http://www.hep.anl.gov/reb/key.asc
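An added example, not part of the original messages: a Python audit of a yum repos.d directory for the two conditions the thread describes, an unmerged .rpmnew file beside a hand-edited .repo file and a signature-checked section whose gpgkey does not list the new key. The key paths are placeholders (the thread does not give them), the function names are hypothetical, and the sample files are constructed.

```python
import configparser
import tempfile
from pathlib import Path

# Placeholder: the thread does not give the new key's file name or path.
NEW_KEY = "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-NEW-PLACEHOLDER"

def audit_repo_dir(repo_dir, new_key=NEW_KEY):
    """Return (file, section, problem) tuples for one yum repos.d directory."""
    findings = []
    for repo_file in sorted(Path(repo_dir).glob("*.repo")):
        # A sibling .rpmnew means the package shipped a newer file but the
        # hand-edited local copy was kept, so it may lack the new key path.
        if repo_file.with_name(repo_file.name + ".rpmnew").exists():
            findings.append((repo_file.name, "*", "unmerged .rpmnew present"))
        cp = configparser.ConfigParser(interpolation=None, strict=False)
        cp.read(repo_file)
        for section in cp.sections():
            # Assumption: only the .repo file is read; a gpgcheck setting
            # inherited from yum.conf [main] is not consulted here.
            if not cp.getboolean(section, "gpgcheck", fallback=False):
                findings.append((repo_file.name, section, "gpgcheck not enabled"))
                continue
            # gpgkey may list several URLs separated by spaces, commas or newlines.
            keys = cp.get(section, "gpgkey", fallback="").replace(",", " ").split()
            if new_key not in keys:
                findings.append((repo_file.name, section, "gpgkey lacks new key"))
    return findings

def demo():
    """Audit a constructed repos.d (sample files, not real SL repo files)."""
    old = "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-OLD-PLACEHOLDER"
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        # Hand-edited file kept in place; the packaged update sits beside it.
        (d / "sl.repo").write_text(f"[sl-security]\ngpgcheck=1\ngpgkey={old}\n")
        (d / "sl.repo.rpmnew").write_text(f"[sl-security]\ngpgcheck=0\ngpgkey={old} {NEW_KEY}\n")
        # Merged file: checking on, both keys listed on continuation lines.
        (d / "ok.repo").write_text(f"[ok]\ngpgcheck=1\ngpgkey={old}\n       {NEW_KEY}\n")
        # Signature checking left off.
        (d / "off.repo").write_text("[off]\ngpgcheck=0\n")
        return audit_repo_dir(d)

if __name__ == "__main__":
    for finding in demo():
        print(*finding, sep=": ")
```

A clean result only says the .repo files reference the new key; whether that key has actually been imported into the RPM database is a separate check on each host.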
